[SCM] Samba Shared Repository - branch v4-20-test updated

Jule Anger janger at samba.org
Tue Apr 16 12:25:01 UTC 2024


The branch, v4-20-test has been updated
       via  215bb9bd48e Do not fail checksums for RFC8009 types
       via  db60a1947b8 s4:dns_server: less noisy, more informative debug messages
       via  9155d89a2ae packaging: Provide a systemd service file for samba-bgqd
      from  077f39baf7c libcli/http: Detect unsupported Transfer-encoding type

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 215bb9bd48e9aae04ff39633f6dd9255a989bf98
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu Jun 22 09:56:12 2023 +0300

    Do not fail checksums for RFC8009 types
    
    While Active Directory does not yet support RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for the FreeIPA
    domain controller, which uses them by default.
    
    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
    ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed to verify the service signature: Invalid argument
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8e931fce126e8c1128da893c806702731c08758a)
    
    Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224

commit db60a1947b88a8ddb289f63ac22a6d7b1500f0df
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Apr 11 11:52:14 2024 +1200

    s4:dns_server: less noisy, more informative debug messages
    
    This shouldn't have been DBG_ERR, and it might as well say something
    about the tombstone.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224
    
    (cherry picked from commit dde973d170e479632d1a411279f4f0fad6608539)

commit 9155d89a2ae04f45d809c46129687c6f5a510a0d
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 4 10:58:23 2024 +0100

    packaging: Provide a systemd service file for samba-bgqd
    
    There might be scenarios where the background queue daemon should be
    running all the time instead of being started on demand. This is
    especially useful for bigger print servers with a lot of printers. It
    takes ~1 sec to get a printer from cups, so a print server with 100
    printers needs 100 seconds to update the printer_list.tdb. The service
    will be killed because of idle in the meantime.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit c97071726e163b40f0e391af70e81b3e6c1ab0eb)

-----------------------------------------------------------------------

Summary of changes:
 auth/kerberos/kerberos_pac.c                       | 47 +++++++++++++---------
 lib/krb5_wrap/krb5_samba.h                         | 28 +++++++++++++
 .../{samba.service.in => samba-bgqd.service.in}    |  9 ++---
 packaging/wscript_build                            |  3 +-
 source4/dns_server/dnsserver_common.c              |  9 +++--
 5 files changed, 67 insertions(+), 29 deletions(-)
 copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%)


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index ae4557bbd6f..b6272ac15eb 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -33,6 +33,7 @@
 #include "librpc/gen_ndr/auth.h"
 #include "auth/common_auth.h"
 #include "auth/kerberos/pac_utils.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 					  struct PAC_SIGNATURE_DATA *sig,
@@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_keyusage usage = 0;
 	krb5_boolean checksum_valid = false;
 	krb5_data input;
-
-	switch (sig->type) {
-	case CKSUMTYPE_HMAC_MD5:
-		/* ignores the key type */
-		break;
-	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
-			return EINVAL;
-		}
-		/* ok */
-		break;
-	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
-		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
-			return EINVAL;
+	size_t idx = 0;
+	struct {
+		krb5_cksumtype cksum_type;
+		krb5_enctype enc_type;
+	} supported_types[] = {
+		{CKSUMTYPE_HMAC_SHA1_96_AES_256, ENCTYPE_AES256_CTS_HMAC_SHA1_96},
+		{CKSUMTYPE_HMAC_SHA1_96_AES_128, ENCTYPE_AES128_CTS_HMAC_SHA1_96},
+		/* RFC8009 types. Not supported by AD yet but used by FreeIPA and MIT Kerberos */
+		{CKSUMTYPE_HMAC_SHA256_128_AES128, ENCTYPE_AES128_CTS_HMAC_SHA256_128},
+		{CKSUMTYPE_HMAC_SHA384_192_AES256, ENCTYPE_AES256_CTS_HMAC_SHA384_192},
+		{0, 0},
+	};
+
+	for(idx = 0; supported_types[idx].cksum_type != 0; idx++) {
+		if (sig->type == supported_types[idx].cksum_type) {
+			if (KRB5_KEY_TYPE(keyblock) != supported_types[idx].enc_type) {
+				return EINVAL;
+			}
+			/* ok */
+			break;
 		}
-		/* ok */
-		break;
-	default:
-		DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n",
-			sig->type));
+	}
+
+	/* do not do key type check for HMAC-MD5 */
+	if ((sig->type != CKSUMTYPE_HMAC_MD5) &&
+	    (supported_types[idx].cksum_type == 0)) {
+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+			(int)sig->type));
 		return EINVAL;
 	}
 
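Review bot: The `supported_types` lookup table is an automatic, mutable array that is rebuilt on the stack every time check_pac_checksum runs, although its contents never change; declare it `static const struct { krb5_cksumtype cksum_type; krb5_enctype enc_type; } supported_types[] = { ... };` so it is initialised once and placed in read-only storage. The loop header `for(idx = 0; ...)` is also missing the space after `for` that the rest of the file uses, `for (idx = 0; supported_types[idx].cksum_type != 0; idx++) {`. The `{0, 0}` terminator doubles as the post-loop "not found" marker, which relies on 0 never being a real checksum type; a comment on that entry, `/* sentinel: also the "unsupported" marker for the check below */`, would make the dependency explicit. check_pac_checksum continues outside the hunk, so the verification that actually uses the key is not visible here.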
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index e158a404dea..795106453c9 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -88,6 +88,34 @@
 #define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
 #endif
 
+/*
+ * RFC8009 encryption types' defines have different names:
+ *
+ * KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 in Heimdal
+ * ENCTYPE_AES128_CTS_HMAC_SHA256_128 in MIT
+ *
+ * and
+ *
+ * KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 in Heimdal
+ * ENCTYPE_AES256_CTS_HMAC_SHA384_192 in MIT
+ */
+#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA256_128)
+#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
+#endif
+#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA384_192)
+#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
+#endif
+
+/*
+ * Same for older encryption types, rename to have the same defines
+ */
+#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA1_96)
+#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#endif
+#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#endif
+
 /*
  * KRB5_KU_OTHER_ENCRYPTED in Heimdal
  * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
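Review bot: Each `#if !defined(ENCTYPE_...)` block aliases the MIT name to the Heimdal `KRB5_ENCTYPE_...` name without checking that the Heimdal name exists, so a Kerberos library that provides neither (one without RFC 8009 support) is not caught here; it surfaces only as an undeclared identifier at the first use in kerberos_pac.c. Heimdal's values are presumably enum constants rather than macros, which is why `#if defined` cannot test them directly, but that assumption is unstated; a comment such as `/* Assumes the library declares the KRB5_ENCTYPE_* values; a library without RFC 8009 support fails at the first use, not here. */` would spare the next reader the confusing build error. The same remark applies to the SHA1-96 aliases added just below.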
diff --git a/packaging/systemd/samba.service.in b/packaging/systemd/samba-bgqd.service.in
similarity index 50%
copy from packaging/systemd/samba.service.in
copy to packaging/systemd/samba-bgqd.service.in
index e4baee1aeec..0254ebd59be 100644
--- a/packaging/systemd/samba.service.in
+++ b/packaging/systemd/samba-bgqd.service.in
@@ -1,17 +1,16 @@
 [Unit]
-Description=Samba AD Daemon
-Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
+Description=Samba Background Queue Daemon for printing-related jobs
+Documentation=man:samba-bgqd(8) man:smb.conf(5)
 Wants=network-online.target
 After=network.target network-online.target
 
 [Service]
 Type=notify
-PIDFile=@PIDDIR@/samba.pid
 LimitNOFILE=16384
+PIDFile=@PIDDIR@/samba-bgqd.pid
 EnvironmentFile=- at SYSCONFDIR@/sysconfig/samba
-ExecStart=@SBINDIR@/samba --foreground --no-process-group $SAMBAOPTIONS
+ExecStart=@LIBEXECDIR@/samba/samba-bgqd --foreground --no-process-group $SAMBAOPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
- at systemd_samba_extra@
 
 [Install]
 WantedBy=multi-user.target
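Review bot: `Type=notify` and `ExecReload=/bin/kill -HUP $MAINPID` are inherited from samba.service, but nothing in this change shows that samba-bgqd sends the sd_notify readiness message or treats SIGHUP as a reload; if it does not, the unit sits in "activating" until the start timeout, and a reload would terminate the daemon instead. Please confirm against the daemon, or record the expectation in the unit with a comment such as `# samba-bgqd signals readiness via sd_notify and reloads on SIGHUP`. Separately, the archive rendering appears to have replaced `@` with ` at ` in the `EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba` line and in the removed `-@systemd_samba_extra@` line, so the text as shown here should not be copied verbatim.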
diff --git a/packaging/wscript_build b/packaging/wscript_build
index 217bd996348..dc95bebf1c6 100644
--- a/packaging/wscript_build
+++ b/packaging/wscript_build
@@ -4,7 +4,8 @@ systemd_services = [
     'systemd/smb.service',
     'systemd/nmb.service',
     'systemd/winbind.service',
-    'systemd/samba.service'
+    'systemd/samba.service',
+    'systemd/samba-bgqd.service',
 ]
 
 for srv in systemd_services:
diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
index fbe39d99bf0..aba7f4128b2 100644
--- a/source4/dns_server/dnsserver_common.c
+++ b/source4/dns_server/dnsserver_common.c
@@ -1034,10 +1034,11 @@ WERROR dns_common_replace(struct ldb_context *samdb,
 			 * record.
 			 */
 			if (records[i].data.EntombedTime != 0) {
-				if (rec_count != 1) {
-					DBG_ERR("tombstone record has %u neighbour "
-						"records.\n",
-						rec_count - 1);
+				if (rec_count != 1 && DEBUGLVL(DBGLVL_NOTICE)) {
+					DBG_NOTICE("tombstone record [%u] has "
+						   "%u neighbour records.\n",
+						   i, rec_count - 1);
+					NDR_PRINT_DEBUG(dnsp_DnssrvRpcRecord, &records[i]);
 				}
 				was_tombstoned = true;
 			}
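Review bot: The added `DEBUGLVL(DBGLVL_NOTICE)` term in the `if` condition does two things at once, gating the message and skipping the NDR_PRINT_DEBUG dump when notice-level logging is off, and nothing says so; a why-comment, `/* DEBUGLVL guard: avoid the NDR dump unless it would actually be logged */`, would stop a later cleanup from folding it away. The dump now writes the full tombstoned record into the log at notice level; that is DNS zone data rather than a secret, but it is worth noting that log output now carries record contents. dns_common_replace starts and ends outside the hunk.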


-- 
Samba Shared Repository


